This is part of a series of articles about email security in Microsoft 365. Please check out previous articles here:
These articles are based on a model I have previously created, which you can read about here:
designed to help better explain expansive security included with Microsoft 365.
Email reporting and auditing
It’s now time to look at all the logging that occurs during even the simply process of receiving and viewing an email. For starters there is:
Message trace in the Security & Compliance Center follows email messages as they travel through your Exchange Online organization. You can determine if a message was received, rejected, deferred, or delivered by the service. It also shows what actions were taken on the message before it reached its final status.
There is also reporting options like:
as well as:
If you want to specifically look at email security there is:
as well as:
I have also spoken about the importance of the Unified Audit Logs (UAL) in Microsoft 365:
and you need to ensure that these have been enabled so that you can:
Starting in January 2019, Microsoft is turning on mailbox audit logging by default for all organizations. This means that certain actions performed by mailbox owners, delegates, and admins are automatically logged, and the corresponding mailbox audit records will be available when you search for them in the mailbox audit log.
Here are some benefits of mailbox auditing on by default:
Auditing is automatically enabled when you create a new mailbox. You don’t need to manually enable it for new users.
You don’t need to manage the mailbox actions that are audited. A predefined set of mailbox actions are audited by default for each logon type (Admin, Delegate, and Owner).
When Microsoft releases a new mailbox action, the action might be automatically added to the list of mailbox actions that are audited by default (subject to the user having the appropriate license). This means you don’t need to monitor add new actions on mailboxes.
You have a consistent mailbox auditing policy across your organization (because you’re auditing the same actions for all mailboxes).
With this auditing enabled you can do things like:
as well as
Many of the reports that you find in the Microsoft 365 Admin area can be scheduled to be sent via email per:
Apart from auditing and security you can also do more typical things like:
The availability of all this data is covered here:
typically being 90 days.
User reporting and auditing
For information more specifically about user logins into the service and the Identity container, the best place to look is in Azure Active Directory (AD).
and if you want use PowerShell
Device reporting and auditing
There are lots of options when it comes to monitoring and reporting on devices. Apart from what is offered locally you also have:
You can even get telemetry data and analytics reports from your desktop applications via:
Aggregated data reporting and monitoring
As you can see with all the options above, it is easy to get to information overload trying to keep up with all those signals. Luckily Microsoft provides a range of services to aggregate all this for you to make monitoring and report easier.
The first is Microsoft Cloud App Security services:
There are plenty of reasons why you really should have Microsoft Cloud App Security in your environment:
Next, is Microsoft Defender for Endpoint that will aggregate security and threat information for devices in your environment and make it available in a single console.
Finally for me, there is Azure Sentinel, which I see as really the ultimate hub for event reporting, monitoring and alrtign across the whole service.
Azure Sentinel is a service that growing in features rapidly:
Hopefully, all this gives you some insight into all the auditing and usage data that Microsoft 365 captures during any interaction within the service. One of the biggest benefits is also how this information is integrated between services, especially those that aggregate information lime Microsoft Cloud App Security and Azure Sentinel. This means you don’t have to crawl through individual log entries, you can use a dashboard and drill down from there. I also like the fact that all of these services and data are accessible using a scripting tool like PowerShell if you want to automate this further.
Remember, throughout this six part series I’ve just looked at what happens when a single email is delivered and view with Microsoft 365. If you expand that out to all the services and capabilities that Microsoft 365 provides you can hopefully get a better appreciate of the protection it provides in place for your data on many different levels.
The call to action for readers is to go away and implement all the security features that Microsoft 365 provides. This may of course vary by the license that you have. You should then consider what additional security offerings the Microsoft cloud stack can offer that makes sense for your business, then implement those. Remember, security is not a destination, it is journey.